By Amy Hogan-Burney, Corporate Vice President, Customer Security & Trust
In 80% of the cyber incidents Microsoft’s security teams investigated last year, attackers sought to steal data — a trend driven more by financial gain than intelligence gathering.
According to the latest Microsoft Digital Defense Report, written with our Chief Information Security Officer Igor Tsyganskiy, over half of cyberattacks with known motives were driven by extortion or ransomware. That’s at least 52% of incidents fueled by financial gain, while attacks focused solely on espionage made up just 4%.
Nation-state threats remain a serious and persistent concern, but most of the immediate attacks organizations face today come from opportunistic criminals looking to make a profit.
Every day, Microsoft processes more than 100 trillion signals, blocks approximately 4.5 million new malware attempts, analyzes 38 million identity risk detections, and screens 5 billion emails for malware and phishing. Advances in automation and readily available off-the-shelf tools have enabled cybercriminals — even those with limited technical expertise — to expand their operations significantly.
The use of AI has further accelerated this trend, with cybercriminals developing malware faster and generating more realistic synthetic content, enhancing the efficiency of phishing and ransomware attacks. As a result, opportunistic malicious actors now target everyone — big or small — making cybercrime a universal, ever-present threat that spills into our daily lives.
In this environment, organizational leaders must treat cybersecurity as a core strategic priority — not just an IT issue — and build resilience into their technology and operations from the ground up. In our sixth annual Microsoft Digital Defense Report, which covers trends from July 2024 through June 2025, we highlight that legacy security measures are no longer enough. We need modern defenses leveraging AI and strong collaboration across industries and governments to keep pace with the threat.
For individuals, simple steps like using strong security tools — especially phishing-resistant multifactor authentication (MFA) — make a big difference, as MFA can block over 99% of identity-based attacks.
Below are some of the key findings:
Critical services are prime targets with real-world impact
Malicious actors remain focused on attacking critical public services — targets that, when compromised, can have a direct and immediate impact on people’s lives. Hospitals and local governments, for example, are frequent targets because they store sensitive data or have tight cybersecurity budgets and limited incident response capabilities, often resulting in outdated software.
In the past year, cyberattacks on these sectors had real-world consequences, including delayed emergency medical care, disrupted emergency services, canceled school classes, and halted transportation systems.
Ransomware actors in particular focus on these critical sectors because of the targets’ limited options. For example, a hospital must quickly restore its encrypted systems or patients’ lives could be at risk — often leaving no recourse but to pay. Additionally, governments, hospitals, and research institutions store sensitive data that criminals can steal and monetize through illicit marketplaces on the dark web, fueling further criminal activity.
Government and industry can collaborate to strengthen cybersecurity in these sectors — particularly for the most vulnerable. These efforts are critical to protecting communities and ensuring continuity of care, education, and emergency response.
Nation-state actors are expanding operations
While cybercriminals are the biggest cyber threat by volume, nation-state actors still target key industries and regions, expanding their focus on espionage — and, in some cases, financial gain. Geopolitical objectives continue to drive a surge in state-sponsored cyber activity, with a notable expansion in targeting communications, research, and academia.
Key insights:
- China continues its broad push across industries to conduct espionage and steal sensitive data. State-affiliated actors are increasingly attacking non-governmental organizations (NGOs) to expand their insights, using covert networks and vulnerable internet-facing devices to gain entry and avoid detection. They have also become faster at exploiting newly disclosed vulnerabilities.
- Iran is going after a wider range of targets than ever before — from the Middle East to North America — as part of its broadening espionage operations. Recently, three Iranian state-affiliated actors attacked shipping and logistics firms in Europe and the Persian Gulf to gain ongoing access to sensitive commercial data, raising the possibility that Iran may be pre-positioning to interfere with commercial shipping operations.
- Russia, while still focused on the war in Ukraine, has expanded its targets. Microsoft has observed Russian state-affiliated actors targeting small businesses in countries supporting Ukraine. Outside of Ukraine, the top ten countries most affected by Russian cyber activity all belong to the North Atlantic Treaty Organization (NATO) — a 25% increase compared to last year. Russian actors may view these smaller companies as less resource-intensive pivot points to access larger organizations. These actors are also increasingly leveraging the cybercriminal ecosystem for their attacks.
- North Korea remains focused on revenue generation and espionage. Thousands of state-affiliated North Korean remote IT workers have applied for jobs with companies around the world, sending their salaries back to the government as remittances. When discovered, some of these workers have turned to extortion as another means of generating funds for the regime.
The cyber threats posed by nation-states are becoming more expansive and unpredictable. The shift by some nation-state actors to further leveraging the cybercriminal ecosystem will make attribution even more complicated. This underscores the need for organizations to stay abreast of threats to their industries and work with both industry peers and governments to confront them.
2025 saw an escalation in use of AI by both attackers and defenders
Over the past year, both attackers and defenders have harnessed the power of generative AI. Threat actors are using AI to boost their attacks by automating phishing, scaling social engineering, creating synthetic media, finding vulnerabilities faster, and developing adaptive malware.
Nation-state actors, too, have continued incorporating AI into their cyber influence operations. This activity has increased in the past six months as actors use the technology to make their efforts more advanced, scalable, and targeted.
For defenders, AI is proving to be a valuable tool. Microsoft, for example, uses AI to spot threats, close detection gaps, catch phishing attempts, and protect vulnerable users. As both the risks and opportunities of AI evolve rapidly, organizations must prioritize securing their AI tools and training their teams. Everyone — from industry to government — must be proactive to keep pace with increasingly sophisticated attackers and ensure that defenders stay one step ahead.
Adversaries aren’t breaking in — they’re signing in
Amid the growing sophistication of cyber threats, one statistic stands out: more than 97% of identity attacks are password attacks. In the first half of 2025 alone, identity-based attacks surged by 32%. That means the vast majority of malicious sign-in attempts an organization receives are large-scale password guessing attempts.
Attackers acquire usernames and passwords (“credentials”) for these bulk attacks largely from credential leaks. However, credential leaks aren’t the only source.
This year, we saw a surge in the use of infostealer malware by cybercriminals. Infostealers can secretly gather credentials and information about online accounts — like browser session tokens — at scale. Cybercriminals can then buy this stolen information on cybercrime forums, making it easy for anyone to access accounts for purposes such as delivering ransomware.
Luckily, the solution to identity compromise is simple. Implementing phishing-resistant multifactor authentication (MFA) can stop over 99% of these attacks, even if the attacker has the correct username and password.
To target the malicious supply chain, Microsoft’s Digital Crimes Unit (DCU) is fighting back against the cybercriminal use of infostealers. In May, the DCU disrupted the most popular infostealer — Lumma Stealer — alongside the U.S. Department of Justice and Europol.
Moving forward: Cybersecurity is a shared defensive priority
As threat actors grow more sophisticated, persistent, and opportunistic, organizations must stay vigilant, continually updating their defenses and sharing intelligence. Microsoft remains committed to strengthening our products and services through our Secure Future Initiative. We also continue to collaborate with others to track threats, alert targeted customers, and share insights with the broader public when appropriate.
However, security is not only a technical challenge but also a governance imperative. Defensive measures alone are not enough to deter nation-state adversaries. Governments must build frameworks that signal credible and proportionate consequences for malicious activity that violates international rules.
Encouragingly, governments are increasingly attributing cyberattacks to foreign actors and imposing consequences such as indictments and sanctions. This growing transparency and accountability are important steps toward building collective deterrence.
As digital transformation accelerates — amplified by the rise of AI — cyber threats pose risks to economic stability, governance, and personal safety. Addressing these challenges requires not only technical innovation but coordinated societal action.
—
About the author
Amy Hogan-Burney is the Vice President for Cybersecurity Policy & Protection (CPP). CPP includes Microsoft’s Digital Security Unit, Cybersecurity Policy and Digital Diplomacy teams, and the Digital Crimes Unit and is a global team of attorneys, security strategists, investigators, engineers, and analysts. CPP is responsible for managing compliance with cybersecurity regulations while shaping evolving requirements, advocating for digital peace and rules of nation state conduct in cyberspace, developing productive partnerships with the public and private sector to address cybersecurity and crime, and seeking to disrupt nation state actors and cybercriminals through legal and technical methods.
Prior to leading CPP, Ms. Hogan-Burney led the Digital Crimes Unit and the Privacy Compliance team during the implementation of the EU’s General Data Protection Regulation. She started her career at Microsoft managing the Law Enforcement and National Security team ensuring Microsoft’s compliance with law enforcement and national security legal obligations.
Before entering the private sector Ms. Hogan-Burney was an attorney at the U.S. Department of Justice, Federal Bureau of Investigation. She received her Bachelor of Biomedical Engineering from the Catholic University School of Engineering and her Juris Doctor from the Columbus School of Law at the Catholic University.
